xloader | a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4

General

Target

comprovante de pagamento.exe
Size

339KB
MD5

cfddc31fa56b6e1a80f29386769bd19e
SHA1

78b41e3c049f5dca11aa3c9679f757461cabea7d
SHA256

a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4
SHA512

7b4273d4d8cfd5cbe9234dd459c50f56b34978535c9e7480afce28396623da3586dcf7e6011496881774c6ebc4382a61293b230216bfb252385c3b6e290b55cd

Score

10^/10

xloader cbgo loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4824-134-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4892-142-0x0000000000C00000-0x0000000000C29000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

kefkdcbcrz.exekefkdcbcrz.exe

pid process

3508 kefkdcbcrz.exe
4824 kefkdcbcrz.exe

pid	process
3508	kefkdcbcrz.exe
4824	kefkdcbcrz.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kefkdcbcrz.exekefkdcbcrz.exewlanext.exe

description	pid	process	target process
PID 3508 set thread context of 4824	3508	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 4824 set thread context of 992	4824	kefkdcbcrz.exe	Explorer.EXE
PID 4892 set thread context of 992	4892	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

kefkdcbcrz.exewlanext.exe

pid	process
4824	kefkdcbcrz.exe
4824	kefkdcbcrz.exe
4824	kefkdcbcrz.exe
4824	kefkdcbcrz.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe
4892	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

992 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

kefkdcbcrz.exewlanext.exe

pid process

4824 kefkdcbcrz.exe
4824 kefkdcbcrz.exe
4824 kefkdcbcrz.exe
4892 wlanext.exe
4892 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kefkdcbcrz.exewlanext.exe

description pid process

Token: SeDebugPrivilege 4824 kefkdcbcrz.exe
Token: SeDebugPrivilege 4892 wlanext.exe

pid	process
992	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4824	kefkdcbcrz.exe
Token: SeDebugPrivilege	4892	wlanext.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

comprovante de pagamento.exekefkdcbcrz.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 2740 wrote to memory of 3508	2740	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 2740 wrote to memory of 3508	2740	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 2740 wrote to memory of 3508	2740	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 3508 wrote to memory of 4824	3508	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 3508 wrote to memory of 4824	3508	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 3508 wrote to memory of 4824	3508	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 3508 wrote to memory of 4824	3508	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 3508 wrote to memory of 4824	3508	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 3508 wrote to memory of 4824	3508	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 992 wrote to memory of 4892	992	Explorer.EXE	wlanext.exe
PID 992 wrote to memory of 4892	992	Explorer.EXE	wlanext.exe
PID 992 wrote to memory of 4892	992	Explorer.EXE	wlanext.exe
PID 4892 wrote to memory of 4568	4892	wlanext.exe	cmd.exe
PID 4892 wrote to memory of 4568	4892	wlanext.exe	cmd.exe
PID 4892 wrote to memory of 4568	4892	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\comprovante de pagamento.exe
"C:\Users\Admin\AppData\Local\Temp\comprovante de pagamento.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe C:\Users\Admin\AppData\Local\Temp\xsytq
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe C:\Users\Admin\AppData\Local\Temp\xsytq
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4900

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3736

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe"
3⤵
PID:4568

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv pkU7MsTpUEeLoeCcknV2Ng.0
1⤵
PID:680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bs5210ina7o23q4wlv
MD5
635788a319cc804f7eee6cc85484994d

SHA1
ec66c3089a7ef4905248ea91d5fd5406e081deb0

SHA256
cbfa82c018690de266af6d720c9916dd8236d5f12d65c31fb7bf5c95b4e0a43c

SHA512
f8fb2daeedb1a92b0e206009155f29cde504de7cba69935d47ee63c96fe2734c93becf199adcca6da53357824024ed9636696b08bf9669a4024b2fb5bd8f17ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsytq
MD5
b56fe160e90745d86c9ee74fd026e134

SHA1
2231d8dc79fa27334de455ed5fe3d081490bbc77

SHA256
cf9939352d9884929da9a22c416be384d658efdb818b1da7b257875e7c894a98

SHA512
497604bf3a074f5affa3c52afd69f69db0b44fe1e6d5752a036c4c95ad7e869954f6d69201d54af087bf4583e71e40414260a70ca7db75832d8ae7b75312529e

Download Submit
memory/992-140-0x00000000085F0000-0x000000000871C000-memory.dmp

Filesize
1.2MB

Download
memory/992-145-0x0000000008A20000-0x0000000008ABB000-memory.dmp

Filesize
620KB

Download
memory/4824-136-0x0000000000FD0000-0x000000000131A000-memory.dmp

Filesize
3.3MB

Download
memory/4824-138-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/4824-139-0x0000000000C80000-0x0000000000C91000-memory.dmp

Filesize
68KB

Download
memory/4824-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4892-141-0x0000000000940000-0x0000000000957000-memory.dmp

Filesize
92KB

Download
memory/4892-142-0x0000000000C00000-0x0000000000C29000-memory.dmp

Filesize
164KB

Download
memory/4892-143-0x0000000001320000-0x000000000166A000-memory.dmp

Filesize
3.3MB

Download
memory/4892-144-0x0000000001140000-0x00000000011D0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads